Overview
The Password Strength setting controls the minimum complexity that all users must satisfy when creating or changing a password in Classter. By selecting a strength level, the institution defines a security baseline that the system enforces automatically — every time a user enters a new password, whether during first-time account creation, a forgotten-password reset, or a voluntary password change from their profile.
When a user submits a password that does not meet the configured level, the system rejects it and displays a plain-language error message explaining exactly what the password must contain. The user must correct the password before the action can continue.
This setting is found in:
- Settings Module > Core > Security Settings > Basic Security Settings > Password Strength
Where It Is Used
The password strength requirement is checked in three distinct situations:
Online Admission / Self-Registration
When an applicant (Student or other portal user) registers for an account through the institution’s online registration page, the password they choose is validated against the configured policy before the account is created. If the password does not meet the requirements, the registration form cannot be submitted.
Forgot Password / Password Reset
When any portal user — Student, Parent/Guardian, Teacher, Secretary, or other staff member — uses the Forgot Password link to regain access to their account, the new password they set must comply with the policy. A non-compliant password will be rejected, and the reset will not complete until the user enters a password that meets the requirement.
Change Password (User Profile)
When any logged-in user navigates to their profile and voluntarily changes their password, the new password must comply with the policy. This includes changes triggered by an expired password (see Password Expiration Policy) and changes prompted on first login (see Force Password Change on First Login).
Configuration / Fields Analysis
Setting Name and Type
Display name: Password Strength
Type: Single-select dropdown — exactly one option must be active at a time.
Scope: Institution-wide. The same level applies to all user roles and all academic periods.
Available Options
The dropdown offers five levels, listed from least restrictive to most restrictive:
Option 1 — Blank (No Requirement)
Numeric value: 0
What it means: No minimum password complexity is enforced by the system. Users can set any password, including a very simple or short one. The system displays a soft recommendation message encouraging a stronger password, but it does not block the submission.
When to use: Typically used only in test or demonstration environments. Not recommended for live institutional use, as it leaves accounts with no password protection.
Message shown to user: A recommendation is displayed suggesting the use of mixed-case letters and numbers, but the password is accepted regardless.
Option 2 — Very Weak
Numeric value: 1
What it means: The password must be at least 5 characters long. No other composition requirements are enforced. Any combination of characters that reaches 5 in length is accepted.
When to use: Suitable for environments where accessibility is prioritised over strict security, for example, portal accounts for very young students where memorability is the primary concern.
Message shown to user: If the password is shorter than 5 characters, a recommendation message is displayed (same as Blank level). The password is blocked only if it is too short.
Option 3 — Weak
Numeric value: 2
What it means: The password must be at least 5 characters long and must satisfy at least two of the following four conditions:
- The password is 8 or more characters long.
- The password contains at least one letter (uppercase or lowercase).
- The password contains at least one digit (0–9).
- The password contains at least one special character (e.g. ! @ # $ % ^ & * ? _ ~ – £ ( ) . ,).
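When to use: A light minimum that excludes single-category passwords shorter than 8 characters (e.g. all letters with no numbers). A single-category password of 8 or more characters still passes, because length counts as one of the four conditions.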
Message shown to user: “Password must be at least 5 characters in length containing a minimum of 1 lowercase letter [a-z] or 1 uppercase letter [A-Z] or 1 numeric character [0-9] or 1 special character.”
Option 4 — Medium
Numeric value: 3
What it means: The password must be at least 5 characters long and must satisfy at least three of the four conditions listed under the Weak level above. In practical terms, this typically requires letters plus both a digit and a special character (or 8+ characters with two other character types).
When to use: A balanced middle ground recommended for institutions that want meaningful security without the 8-character minimum and uppercase-letter requirement of the Strong level. Suitable for most schools and colleges.
Message shown to user: “Password must be at least 5 characters in length containing a minimum of 1 lowercase letter [a-z] or 1 uppercase letter [A-Z] and minimum of 1 numeric character [0-9] and 1 special character.”
Option 5 — Strong
Numeric value: 4
What it means: The password must meet all of the following requirements simultaneously:
- At least 8 characters long.
- At least one uppercase letter (A–Z).
- At least one lowercase letter (a–z).
- At least one digit (0–9) or one special character (e.g. ! @ # $ % ^ & * ? _ ~ – £ ( ) . ,).
When to use: Recommended for institutions with higher data-protection requirements. This is also the system default when the setting has not been explicitly configured.
Message shown to user: “Password must be at least 8 characters in length containing a minimum of 1 lowercase letter [a-z] or 1 uppercase letter [A-Z] and minimum of 1 numeric character [0-9] and 1 special character.”
Business Logic / Behavior
How the System Evaluates a Password
When a user submits a new password, the system runs through the following checks in order:
- If the password is empty or contains only spaces, it is treated as Blank (strength level 0).
- If the password is shorter than 5 characters, it is classified as Very Weak (level 1). This blocks it for any policy level above Blank.
- For passwords of 5 or more characters, the system checks a set of four conditions and assigns a score from 0 to 4 — one point per condition met:
  - Condition A: Password is 8 or more characters long. (+1 point)
  - Condition B: Password contains at least one letter, in any case. (+1 point)
  - Condition C: Password contains at least one digit (0–9). (+1 point)
  - Condition D: Password contains at least one special character. (+1 point)
- Additionally, if the password is 8+ characters with at least one uppercase letter, one lowercase letter, and at least one digit or special character, it is automatically classified as Strong (level 4), regardless of the score.
- The computed strength level is compared against the configured policy. If the password’s strength is lower than the policy level, it is rejected and the user sees the corresponding error message.
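The checks above, written out in Python as an added example (not Classter's own code) and run over the sample passwords from the Examples section plus three constructed edge cases. It assumes each level is enforced exactly as its "What it means" text states and that the special-character set is the one printed on this page; the function names are hypothetical.

```python
import string

# Special characters exactly as printed on the page (the dash is copied as shown there).
SPECIALS = set("!@#$%^&*?_~–£().,")
LEVELS = ["Blank", "Very Weak", "Weak", "Medium", "Strong"]  # index = numeric value

def conditions(pw):
    """Conditions A-D from the page; each one met is worth one point."""
    return {
        "A": len(pw) >= 8,
        "B": any(c in string.ascii_letters for c in pw),
        "C": any(c in string.digits for c in pw),
        "D": any(c in SPECIALS for c in pw),
    }

def is_strong(pw):
    """Strong: 8+ chars, an uppercase, a lowercase, and a digit or special."""
    c = conditions(pw)
    return (c["A"]
            and any(ch in string.ascii_uppercase for ch in pw)
            and any(ch in string.ascii_lowercase for ch in pw)
            and (c["C"] or c["D"]))

def meets_policy(pw, level):
    """True if pw satisfies the stated requirement of the configured level (0-4)."""
    if level == 0:
        return True                      # Blank: nothing is enforced
    if not pw.strip() or len(pw) < 5:
        return False                     # empty, spaces only, or too short
    if level == 1:
        return True                      # Very Weak: length >= 5 only
    if level == 4:
        return is_strong(pw)
    return sum(conditions(pw).values()) >= level  # Weak needs 2, Medium needs 3

def highest_level(pw):
    """Highest policy level this password would pass."""
    return max(lvl for lvl in range(5) if meets_policy(pw, lvl))

if __name__ == "__main__":
    # Page examples first, then constructed edge cases.
    samples = ["abc", "sunshine", "Sunshine7!", "open1!", "open12",
               "newpassword", "NewPass9!", "Sunshine7", "aaaaaaaa", "12345678!"]
    for pw in samples:
        print(f"{pw!r:14} score={sum(conditions(pw).values())} "
              f"passes up to {LEVELS[highest_level(pw)]}")
```

The constructed cases show what the rules permit at each level: "Sunshine7" passes Strong with no special character, "aaaaaaaa" passes Weak on length plus letters alone, and "12345678!" passes Medium without any letter.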
Default Behaviour When the Setting Is Not Configured
If no administrator has ever saved a value for this setting, the system defaults to enforcing the Strong level. This built-in fallback ensures that a newly created institution or a freshly copied configuration is not left without a password policy.
Policy Scope: What It Does and Does Not Affect
The Password Strength setting affects newly entered passwords only. It does not:
- Invalidate or expire existing passwords that were set before the policy was changed.
- Force users who already have accounts to change their password immediately (this is controlled separately by the Password Expiration Policy and the Force Password Change on First Login settings).
- Vary by user role — all portal users (Students, Parents/Guardians, Teachers, Staff) are subject to the same level.
- Vary by academic period — it is an institution-level setting that applies at all times.
Recognised Special Characters
For the purpose of this policy, the following characters count as special characters:
! @ # $ % ^ & * ? _ ~ – £ ( ) . ,
Related Settings and Pre-requisites
The Password Strength setting works alongside other security settings. Understanding the interaction between them helps administrators design a coherent account-security policy:
- Force Password Change on First Login — When enabled, new users are prompted to set a new password the first time they log in. The password they choose at that point must comply with the Password Strength Policy.
- Password Expiration Policy — Sets the number of days after which a user’s password must be changed. When the user changes their expired password, the new password must comply with the Password Strength Policy. If set to 0, passwords never expire.
- Use Mobile Phone Number as First-Time Password — When enabled, the user’s mobile number is used as their initial password. Because this initial password is system-generated and may not comply with the strength policy, the combination of this setting with Force Password Change on First Login is recommended: the user will be prompted to choose a compliant password on their first login.
- Two-Factor Authentication — Operates independently. Password strength and two-factor authentication are complementary controls and do not affect each other’s behaviour.
K-12 Mode vs. Higher Education Mode
The Password Strength Policy behaves identically in both K-12 mode and Higher Education mode (the mode controlled by the Enable Configuration for Higher Education setting). There is no difference in enforcement logic, available options, or error messages between the two modes. Administrators in both contexts configure and read this setting in the same way.
Examples
Example 1 — Policy Set to Strong (Default Recommended Setting)
An institution has configured Password Strength to Strong.
A student completes the online registration form and enters the password “sunshine” (8 lowercase characters). Even though it is 8 characters long, it fails the Strong requirement because it contains no uppercase letters, no digits, and no special characters.
The system displays: “Password must be at least 8 characters in length, containing a minimum of 1 lowercase letter or 1 uppercase letter, and a minimum of 1 numeric character and 1 special character.”
The student tries again with “Sunshine7!”. This password has 10 characters, one uppercase letter (S), lowercase letters, a digit (7), and a special character (!). All conditions are satisfied, and the registration is completed successfully.
Example 2 — Policy Set to Medium
An institution serving younger learners configures Password Strength to Medium, accepting that 5-character passwords are sufficient, provided they mix character types.
A parent resets their forgotten password and enters “open1!” (6 characters: lowercase letters, a digit, and a special character). The system scores this as: letters ✓, digit ✓, special character ✓ — three conditions met. The password passes Medium, and the reset succeeds.
If the parent had instead entered “open12” (no special characters), only two conditions would be met (letters and digits), resulting in a Weak score. The system would reject it and display the Medium-level error message.
Example 3 — Policy Set to Blank (Not Recommended for Live Environments)
A test environment is configured with Password Strength set to Blank so that administrators can quickly create and test accounts without being blocked by password rules.
A tester enters “abc” as the password. The system accepts it and displays a soft recommendation message only. No error is generated, and the account is created. In a production environment, this level would leave accounts vulnerable and is not recommended.
Example 4 — Interaction with Force Password Change on First Login
An institution uses Use Mobile Phone Number as First-Time Password together with Force Password Change on First Login, and has Password Strength set to Strong.
A new teacher’s account is created. Their initial password is set automatically to their mobile number (e.g., “07712345678”). On their first login, the system immediately prompts them to set a new password. The mobile number is not validated for strength at account creation time. However, the new password the teacher enters at first login must meet the Strong requirement. If they enter “newpassword” (all lowercase, no digit or special character), the system rejects it. If they enter “NewPass9!”, it is accepted.
Notes
- Changing the policy level takes effect immediately for all new password entries, but does not invalidate passwords already stored in the system.
- The policy applies equally to all user types: Students, Parents/Guardians, Teachers, Secretarial staff, and any other portal role.
- The setting is per-institution and does not vary between academic periods or branches of the same institution that share a single configuration.
- There is no visual strength indicator (password meter) configurable through this setting; the setting controls only whether a password is accepted or rejected, not how feedback is presented in the form.
- If the institution uses an external identity provider (SSO/OAuth) for login, users authenticating exclusively through that provider are not subject to Classter’s password strength check, because they set their password in the external system.
- The Blank and Very Weak levels both display a recommendation message rather than a hard error. The practical difference is that Blank accepts even empty passwords, while Very Weak enforces a 5-character minimum.
- This setting has no K-12 / Higher Education mode distinction — the behaviour is identical in both configurations.